Command Line Reference Guide
NOTE: When ACL logging and byte counters are configured simultaneously, byte counters
may display an incorrect value. Configure packet counters with logging instead.
Related Commands
deny tcp – assigns a filter to deny TCP packets.
deny udp – assigns a filter to deny UDP packets.
ip access-list extended – creates an extended ACL.
deny tcp
Configure a filter that drops transmission control protocol (TCP) packets meeting the filter criteria.
S5000
Syntax
deny tcp {source mask | any | host ip-address} [bit] [operator
port [port]] {destination mask | any | host ip-address} [dscp]
[bit] [operator port [port]] [count [byte]] [order] [monitor]
[fragments]
To remove this filter, you have two choices:
• Use the no seq sequence-number command if you know the filter’s sequence
number.
• Use the no deny tcp {source mask | any | host ip-address}
{destination mask | any | host ip-address} command.
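The mask entry under Parameters allows a non-contiguous A.B.C.D mask, which can make one deny line cover far more addresses than a quick read suggests. The following is an added example, not part of this guide or of the switch software: it assumes that bits set in the mask are compared and clear bits are ignored, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def parse_mask(mask: str) -> int:
    """Return the mask as a 32-bit integer from '/x' or 'A.B.C.D' notation."""
    if mask.startswith("/"):
        prefix = int(mask[1:])
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix out of range: {mask}")
        return (ALL_ONES << (32 - prefix)) & ALL_ONES
    return int(ipaddress.IPv4Address(mask))

def is_contiguous(mask: int) -> bool:
    """True when the 1 bits form a single run starting at the top bit."""
    inverted = ~mask & ALL_ONES
    return (inverted & (inverted + 1)) == 0

def matches(addr: str, base: str, mask: str) -> bool:
    """Assumed semantics: only bits set in the mask are compared."""
    m = parse_mask(mask)
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & m) == (b & m)

def matched_count(mask: str) -> int:
    """Number of IPv4 addresses one filter line covers (2 ** ignored bits)."""
    return 2 ** (32 - bin(parse_mask(mask)).count("1"))

def audit(base: str, mask: str) -> str:
    """One-line summary suitable for reviewing an ACL entry."""
    kind = "contiguous" if is_contiguous(parse_mask(mask)) else "NON-CONTIGUOUS"
    return f"{base} {mask}: {kind}, covers {matched_count(mask)} addresses"

# Constructed sample source/mask pairs (not taken from the guide)
SAMPLES = [
    ("10.1.1.0", "/24"),
    ("10.1.1.0", "255.255.255.0"),
    ("10.0.0.5", "255.0.0.255"),
]

if __name__ == "__main__":
    for base, mask in SAMPLES:
        print(audit(base, mask))
    # Host .5 in an unrelated subnet still falls under the non-contiguous entry
    print(matches("10.77.200.5", "10.0.0.5", "255.0.0.255"))
```
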
Parameters
source
Enter the IP address of the network or host from which the packets
are sent.
mask
Enter a network mask in /prefix format (/x) or A.B.C.D. The mask,
when specified in A.B.C.D format, may be either contiguous or non-
contiguous.
any
Enter the keyword any to specify that all routes are subject to the
filter.
host ip-address
Enter the keyword host and then enter the IP address to specify a
host IP address.
dscp
Enter the keyword dscp to deny a packet based on the DSCP value.
The range is 0 to 63.
bit
Enter a flag or combination of bits:
• ack: acknowledgement field
• fin: finish (no more data from the user)
• psh: push function
• rst: reset the connection
• syn: synchronize sequence numbers
• urg: urgent field